I'm trying to understand the implication of the Binder Keys in in a TLS 1.3 resumed handshake. The TLS 1.3 RFC provides an additional RFC with example traces to validate all the math in a TLS 1.3 handshake. I'm using this example trace to try to re-create the binder keys to understand what went into them.
One of the example traces is a Resumed 0-RTT Handshake trace (section 4 in the linked RFC). This is the handshake trace which this question revolves around. Specifically the {client} calculate PSK binder section, which I am quoting below (with modified formatting).
The relevant section provides these values for the calculations:
{client} calculate PSK binder:
ClientHello prefix (477 octets):
01 00 01 fc 03 03 1b c3 ce b6 bb e3 9c ff 93 83 55 b5 a5 0a db 6d b2 1b 7a 6a f6 49 d7 b4 bc 41 9d 78 76 48 7d 95 00 00 06 13 01 13 03 13 02 01 00 01 cd 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 14 00 12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 33 00 26 00 24 00 1d 00 20 e4 ff b6 8a c0 5f 8d 96 c9 9d a2 66 98 34 6c 6b e1 64 82 ba dd da fe 05 1a 66 b4 f1 8d 66 8f 0b 00 2a 00 00 00 2b 00 03 02 03 04 00 0d 00 20 00 1e 04 03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02 02 02 00 2d 00 02 01 01 00 1c 00 02 40 01 00 15 00 57 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 29 00 dd 00 b8 00 b2 2c 03 5d 82 93 59 ee 5f f7 af 4e c9 00 00 00 00 26 2a 64 94 dc 48 6d 2c 8a 34 cb 33 fa 90 bf 1b 00 70 ad 3c 49 88 83 c9 36 7c 09 a2 be 78 5a bc 55 cd 22 60 97 a3 a9 82 11 72 83 f8 2a 03 a1 43 ef d3 ff 5d d3 6d 64 e8 61 be 7f d6 1d 28 27 db 27 9c ce 14 50 77 d4 54 a3 66 4d 4e 6d a4 d2 9e e0 37 25 a6 a4 da fc d0 fc 67 d2 ae a7 05 29 51 3e 3d a2 67 7f a5 90 6c 5b 3f 7d 8f 92 f2 28 bd a4 0d da 72 14 70 f9 fb f2 97 b5 ae a6 17 64 6f ac 5c 03 27 2e 97 07 27 c6 21 a7 91 41 ef 5f 7d e6 50 5e 5b fb c3 88 e9 33 43 69 40 93 93 4a e4 d3 57 fa d6 aa cb
binder hash (32 octets):
63 22 4b 2e 45 73 f2 d3 45 4c a8 4b 9d 00 9a 04 f6 be 9e 05 71 1a 83 96 47 3a ef a0 1e 92 4a 14
PRK (32 octets):
69 fe 13 1a 3b ba d5 d6 3c 64 ee bc c3 0e 39 5b 9d 81 07 72 6a 13 d0 74 e3 89 db c8 a4 e4 72 56
hash (0 octets):
(empty)
info (18 octets):
00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65 64 00
expanded (32 octets):
55 88 67 3e 72 cb 59 c8 7d 22 0c af fe 94 f2 de a9 a3 b1 60 9f 7d 50 e9 0a 48 22 7d b9 ed 7e aa
finished (32 octets):
3a dd 4f b2 d8 fd f8 22 a0 ca 3c f7 67 8e f5 e8 8d ae 99 01 41 c5 92 4d 57 bb 6f a3 1b 9e 5f 9d
On this list, here are the values I can re-calculate and understand:
The ClientHello is provided as a hex dump of what would be sent in the wire.
The ServerHello (not quoted above) later confirms the cipher selection is 0x1301, which indicate a cipher of TLS_AES_128_GCM_SHA256. The hashing algorithm choice of SHA256 is responsible for many of the 32 octet length values that follow.
The PRK is an HKDF-Expand-Label operation on the EarlySecret provided earlier, the string "tls13 res binder", and an empty 32-bit hash
The info is a hex dump of the ascii string "tls13 finished"
The expanded value is a HKDF-Expand operation using the PRK and info values above
Which leaves the binder hash and finished values -- these values I cannot seem to recreate successfully, so I'm turning to this community for a little help.
What values are combined, and in what operation(s), in order to create the binder hash and the finished values from this example traces?
